Maryland hospital: Ransomware success wasn’t IT department’s fault

MedStar denies ransom payment, denies earlier JBoss bugs played role.

MedStar, the health network of 10 Maryland hospitals struck by a ransomware attack last week, has now reportedly brought all its systems back online without paying attackers. But a MedStar spokesperson denied reports that the attack was made possible because the health provider's IT department failed to apply fixes that had been issued years ago. Ars will publish an in-depth analysis of the techniques used by the Samsam ransomware attackers this Friday.

Tami Abdollah of the Associated Press reported Tuesday that an anonymous source "familiar with the investigation" of the cyberattack claimed that the flaws that allowed attackers to compromise a JBoss Web application server and attack the network with Samsam crypto-ransomware had been highlighted in security warnings from JBoss maintainer Red Hat, the US government and others in February 2007, March 2010, and again this month.

MedStar denies that the earlier warnings—including one issued as a security advisory by Red Hat in April 2010—had anything to do with the attack, according to the findings of a response team from Symantec. "News reports circulating about the malware attack on MedStar Health’s IT system are incorrect," a MedStar spokesperson said in a statement. "Our partner Symantec, a global leader in cybersecurity, has been on the ground from the start of the situation and has been conducting a thorough forensic analysis, as they have done for many other leading companies around the world. In reference to the attack at MedStar, Symantec said, 'The 2007 and 2010 fixes referenced in the article were not contributing factors in this event.'"

The most recent Red Hat warning was actually issued in February, citing a JBoss vulnerability that allowed an "untrusted" XML document to be passed to the application server's Java Standard Tag Library, potentially allowing malicious code to run on the server. Another exploit that may have been used in the attack, involving a flaw in how a library in JBoss converts serialized streams of bytes back into Java objects, was the subject of a Red Hat security advisory in December 2015.

Analysis of other Samsam attacks shows that the most likely cause of the attack on MedStar is an improperly installed JBoss server. The installation appears to have used the default settings that left access to the server's management interface open to the Internet. That sort of misconfiguration is what the JexBoss tool used by the Samsam ransomware operators leverages to install a remote command shell.
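The misconfiguration described above, a management interface left reachable from the Internet by default settings, is something a defender can check for in existing web server logs. The following script is an added example and is not code from the article or from MedStar, Symantec, or Red Hat. It parses constructed Common Log Format access-log lines (client addresses come from RFC 5737 documentation ranges and are constructed for this example) and flags every request to a JBoss administrative path that did not originate inside the assumed-internal RFC 1918 ranges. The list of management paths and the set of trusted networks are assumptions that would be adjusted to the deployment being reviewed.

```python
import ipaddress
import re

# JBoss administrative endpoints that a default install can leave reachable.
# Assumption for this example: this list covers the consoles and invoker
# servlets of interest; extend it for the JBoss version actually deployed.
MANAGEMENT_PATHS = (
    "/jmx-console",
    "/web-console",
    "/admin-console",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
)

# Networks from which management access is legitimate. Assumption: the
# RFC 1918 ranges plus loopback; a real deployment would list its actual
# management subnets instead.
INTERNAL_NETWORKS = tuple(
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
)

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable host field: treat as untrusted
    return any(addr in net for net in INTERNAL_NETWORKS)


def is_management_path(path: str) -> bool:
    """True if the request path is one of the administrative endpoints or below it."""
    p = path.split("?", 1)[0].lower()
    return any(p == m.lower() or p.startswith(m.lower() + "/") for m in MANAGEMENT_PATHS)


def find_exposed_management_access(lines):
    """Return one finding per request to a management path from a non-internal source.

    A 2xx/3xx response means the console answered an outside client, which is
    the misconfiguration itself; a 401/403 still shows the endpoint is reachable
    from the Internet and should be reviewed.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        if not is_management_path(m["path"]) or is_internal(m["ip"]):
            continue
        status = int(m["status"])
        findings.append({
            "time": m["time"],
            "ip": m["ip"],
            "method": m["method"],
            "path": m["path"],
            "status": status,
            "severity": "high" if status < 400 else "medium",
        })
    return findings


# Constructed access-log lines for this example (RFC 5737 documentation
# addresses stand in for Internet clients; 10.0.4.17 is an internal admin host).
SAMPLE_LOG = [
    '10.0.4.17 - - [28/Mar/2016:08:12:01 -0400] "GET /jmx-console/ HTTP/1.1" 200 5123',
    '203.0.113.45 - - [28/Mar/2016:08:13:22 -0400] "GET /jmx-console/ HTTP/1.1" 200 5123',
    '198.51.100.9 - - [28/Mar/2016:08:14:05 -0400] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 812',
    '203.0.113.45 - - [28/Mar/2016:08:15:40 -0400] "GET /patientportal/login HTTP/1.1" 200 2210',
    '203.0.113.77 - - [28/Mar/2016:08:16:02 -0400] "GET /web-console/ HTTP/1.1" 401 0',
    'garbled line that does not parse',
]

if __name__ == "__main__":
    for f in find_exposed_management_access(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['time']} {f['ip']} {f['method']} {f['path']} -> {f['status']}")
```

Run against the constructed sample, the script reports three findings: two served console or invoker requests from outside addresses (the condition that lets a tool like JexBoss reach the server at all) and one authentication-challenged request that still proves the endpoint is exposed. The remediation the findings point at is the same in every case: bind or firewall the management interface to the administrative network rather than relying on the default listener.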

MedStar refused to respond to Ars Technica's inquiries about the attack. In the statement released to media, MedStar's spokesperson said, "As we have said before, based on the advice of IT, cybersecurity and law enforcement experts, MedStar will not be elaborating further on additional aspects of this malware event. This is not only for the protection and security of MedStar Health, its patients and associates, but is also for the benefit of other healthcare organizations and companies." The spokesperson claimed the hospital had "no evidence of any compromise of patient or associate data… furthermore, we are pleased that we brought our systems back up in what can only be viewed as a very rapid recovery led by dedicated MedStar and external IT expert partners."